Re: ssh attacks

2006-06-07 Thread Joachim Schipper
On Wed, May 31, 2006 at 10:19:42PM +0200, Matthias Kilian wrote: On Wed, May 31, 2006 at 03:15:34PM -0400, Peter Fraser wrote: Expect I was not clear. Someone is attacking address 1, address 2, address 3, those addresses are all blocked with respect to ssh, but because he is attacking

Re: ssh attacks

2006-06-07 Thread Peter Fraser
I was thinking of redirecting all the ssh attacks to spamd. spamd is a program that is used to having bad guys attacking it, so it should not affect the security. Then using the max-src-conn-rate to block them. My actual problem is less with ssh than the Microsoft vpn. I trust the people who

Re: ssh attacks

2006-06-07 Thread knitti
On 6/7/06, Peter Fraser [EMAIL PROTECTED] wrote: My actual problem is less with ssh than the Microsoft vpn. I trust the people who have ssh connections to have good passwords, It's the people with vpn connections that I don't trust. And I of course would do the same trick with the vpn port. for

Re: ssh attacks

2006-06-01 Thread Joakim Aronius
: Wednesday, May 31, 2006 3:02 PM To: Peter Fraser Cc: misc@openbsd.org Subject: Re: ssh attacks On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote: block in on Outsize proto tcp port ssh flags S/SA state (max-src-conn-rate 100/10, overload bad_hosts flush global

Re: ssh attacks

2006-06-01 Thread Jason Stubbs
Matthias Kilian wrote: On Wed, May 31, 2006 at 03:15:34PM -0400, Peter Fraser wrote: Expect I was not clear. Someone is attacking address 1, address 2, address 3, those addresses are all blocked with respect to ssh, but because he is attacking those addresses, I want to stop an expected attack

Re: ssh attacks

2006-06-01 Thread Alexander Hall
Tobias Ulmer wrote: This topic comes up in regular intervals of 6 months on every *nix mailing list I'm on. It's stupid (sorry, but it is): Gained security = 0% Leave it just as it is. You don't have anything to fear if you use decent passwords. Otherwise don't offer a ssh

Re: ssh attacks

2006-05-31 Thread Matthias Kilian
On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote: block in on Outsize proto tcp port ssh flags S/SA state (max-src-conn-rate 100/10, overload bad_hosts flush global) This does not work. One gets a message that keeping state on a blocked run makes no sense. See the example on

Re: ssh attacks

2006-05-31 Thread Peter Fraser
want to use the information that someone was trying to ssh to those addresses to identify person as an attacker. -Original Message- From: Matthias Kilian [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 31, 2006 3:02 PM To: Peter Fraser Cc: misc@openbsd.org Subject: Re: ssh attacks On Wed, May

Re: ssh attacks

2006-05-31 Thread Terry
On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote: Right now someone is trying out each IP address I have with an ssh attack. Only one of those IP addresses is enabled for ssh. I have a (max-src-conn-rate 100/10, overload bad_guys flush global) on that address. I would like to

Re: ssh attacks

2006-05-31 Thread Darrin Chandler
On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote: Right now someone is trying out each IP address I have with an ssh attack. Only one of those IP addresses is enabled for ssh. I have a (max-src-conn-rate 100/10, overload bad_guys flush global) on that address. I would like to

Re: ssh attacks

2006-05-31 Thread Clint M. Sand
to ssh to those addresses to identify person as an attacker. -Original Message- From: Matthias Kilian [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 31, 2006 3:02 PM To: Peter Fraser Cc: misc@openbsd.org Subject: Re: ssh attacks On Wed, May 31, 2006 at 02:54:16PM -0400, Peter

Re: ssh attacks

2006-05-31 Thread Matthias Kilian
On Wed, May 31, 2006 at 03:15:34PM -0400, Peter Fraser wrote: Expect I was not clear. Someone is attacking address 1, address 2, address 3, those addresses are all blocked with respect to ssh, but because he is attacking those addresses, I want to stop an expected attack on address 4. I

Re: ssh attacks

2006-05-31 Thread A. Khattri
On Wed, 31 May 2006, Peter Fraser wrote: Expect I was not clear. Someone is attacking address 1, address 2, address 3, those addresses are all blocked with respect to ssh, but because he is attacking those addresses, I want to stop an expected attack on address 4. I never want to pass ssh

Re: ssh attacks

2006-05-31 Thread Smith
This has been asked before, and I tried many of the suggestions given, especially with pf (max-src-conn). But the simplest way to stop this is to change your ssh port. You can do all that tweaking in pf but your logs will still show that someone tried, just that your logs will be smaller.

Re: ssh attacks

2006-05-31 Thread Tobias Ulmer
On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote: Right now someone is trying out each IP address I have with an ssh attack. Only one of those IP addresses is enabled for ssh. I have a (max-src-conn-rate 100/10, overload bad_guys flush global) on that address. I would like to